harvester: [BUG][Multiple Cluster]Project Member cannot create resources in harvester-public ns

Describe the bug

To Reproduce

Steps to reproduce the behavior:

  1. Go to Template Create Page
  2. Switch to harvester-public namespace
  3. Create Template fails

webhook throws errors

virtualmachinetemplates.harvesterhci.io is forbidden: User "u-h4m68" cannot create resource "virtualmachinetemplates" in API group "harvesterhci.io" in the namespace "harvester-public"

Expected behavior

  1. Member role could create resources in harvester-public namespace


About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 15 (6 by maintainers)
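
An added example (not part of the original issue or the Harvester project): it parses the denial text quoted in the report into user, verb, resource, API group and namespace, and builds the matching `kubectl auth can-i` impersonation check for confirming the denial from the CLI during triage. The function names are hypothetical, and running the printed command assumes an account that is allowed to impersonate users.

```python
import re
import shlex

# Shape of the API server's RBAC denial text, as quoted in the report above.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

# Denial message taken from the issue text.
REPORTED = (
    'virtualmachinetemplates.harvesterhci.io is forbidden: User "u-h4m68" cannot '
    'create resource "virtualmachinetemplates" in API group "harvesterhci.io" '
    'in the namespace "harvester-public"'
)


def parse_forbidden(message):
    """Return the denied request as a dict, or None if the text is not an RBAC denial."""
    m = FORBIDDEN_RE.search(message)
    return m.groupdict() if m else None


def can_i_command(denial):
    """Build the `kubectl auth can-i` call that re-asks the same question as that user."""
    # "pods/log" style names carry a subresource, which kubectl takes as a flag.
    resource, _, subresource = denial["resource"].partition("/")
    # Core-group resources have an empty API group and take no ".group" suffix.
    target = resource + ("." + denial["group"] if denial["group"] else "")
    argv = ["kubectl", "auth", "can-i", denial["verb"], target, "--as", denial["user"]]
    if denial["namespace"]:  # None for cluster-scoped denials
        argv += ["--namespace", denial["namespace"]]
    if subresource:
        argv.append("--subresource=" + subresource)
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(can_i_command(parse_forbidden(REPORTED)))
```

The command answers `no` while the user lacks the permission, and `yes` once a role binding grants it in that namespace.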

Most upvoted comments

@noahgildersleeve Thanks for your testing. Sorry that the reproduction steps were not detailed. There is also a backend issue 2788 that makes harvester-public very confusing.

Here are my reproduction steps:

  1. Import Harvester into Rancher
  2. Create cluster member user
  3. Add a user to be a cluster member in Harvester via RBAC
  4. Log out and log back in as a cluster member
  5. Navigate to the Harvester dashboard via virtualization management
  6. Create a project and a namespace
  7. Navigate to the templates page
  8. Try to create a new template in the harvester-public namespace

Expected Results

Users can see the harvester-public namespace in the dropdown but cannot create it successfully.

And after issue 2788 was fixed, the harvester-public namespace will be hidden in the dropdown.

Explorer Test case:

  1. Log in to Rancher as an admin user
  2. Create a user whose name is “member”
  3. Go to the local cluster -> Cluster member, Add a custom role: “View All Projects” for “member”
  4. Create a new project with a new namespace, and then add “member” as the project read-only member.
  5. Add a custom role: “Manage Workloads” for “member”
  6. Log in as the “member” user
  7. Go to the create workload page, check the dropdown menu

Expected Results

No namespace options can be selected.
